robur-coop · dinosaure · Jun 13, 2024 · Jun 4, 2024 · Jun 5, 2024 · Jun 5, 2024
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,6 @@
+.git
+_build
+*.xen
+*.bz2
+*.tar.bz2
+*.tgz
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,32 @@
+name: Main workflow
+
+on:
+  pull_request:
+  push:
+  schedule:
+    # Prime the caches every Monday
+    - cron: 0 1 * * MON
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - run: ./build-with.sh docker
+
+      - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: miragevpn.tar.bz2
+          path: miragevpn.tar.bz2
diff --git a/.github/workflows/podman.yml b/.github/workflows/podman.yml
@@ -0,0 +1,32 @@
+name: Main workflow
+
+on:
+  pull_request:
+  push:
+  schedule:
+    # Prime the caches every Monday
+    - cron: 0 1 * * MON
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - run: ./build-with.sh podman
+
+      - run: sh -exc 'if [ $(sha256sum dist/qubes-firewall.xen | cut -d " " -f 1) = $(grep "SHA2 last known" build-with.sh | rev | cut -d ":" -f 1 | rev | cut -d "\"" -f 1 | tr -d " ") ]; then echo "SHA256 MATCHES"; else exit 42; fi'
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: mirage-firewall.tar.bz2
+          path: mirage-firewall.tar.bz2
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,36 @@
+# Pin the base image to a specific hash for maximum reproducibility.
+# It will probably still work on newer images, though, unless an update
+# changes some compiler optimisations (unlikely).
+# bookworm-slim taken from https://hub.docker.com/_/debian/tags?page=1&name=bookworm-slim
+FROM debian@sha256:3d5df92588469a4c503adbead0e4129ef3f88e223954011c2169073897547cac
+# install remove default packages repository
+RUN rm /etc/apt/sources.list.d/debian.sources
+# and set the package source to a specific release too
+# taken from https://snapshot.debian.org/archive/debian
+RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20240419T024211Z bookworm main\n" > /etc/apt/sources.list
+# taken from https://snapshot.debian.org/archive/debian-security/
+RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/20240419T111010Z bookworm-security main\n" >> /etc/apt/sources.list
+
+RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip bzip2 make gcc g++ libc-dev
+RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.5/opam-2.1.5-i686-linux && chmod 755 /usr/bin/opam
+# taken from https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh
+RUN test `sha512sum /usr/bin/opam | cut -d' ' -f1` = \
+"38802b3079eeceb27aab3465bfd0f9f05a710dccf9487eb35fa2c02fbaf9a0659e1447aa19dd36df9cd01f760229de28c523c08c1c86a3aa3f5e25dbe7b551dd" || exit
+
+ENV OPAMROOT=/tmp
+ENV OPAMCONFIRMLEVEL=unsafe-yes
+# Pin last known-good version for reproducible builds.
+# Remove this line (and the base image pin above) if you want to test with the
+# latest versions.
+# taken from https://github.com/ocaml/opam-repository
+RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#f9f113a6bb242a13702859873fa0fcef9146eb6a
+RUN opam switch create myswitch 4.14.2
+RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5
+RUN opam pin https://github.com/robur-coop/miragevpn.git#cd7d999321e13993862af649977689aa96a7e114
+RUN mkdir /tmp/orb-build
+ADD config.ml /tmp/orb-build/config.ml
+WORKDIR /tmp/orb-build
+CMD opam exec -- sh -exc 'mirage configure -t xen --extra-repos=\
+opam-overlays:https://github.com/dune-universe/opam-overlays.git#4e75ee36715b27550d5bdb87686bb4ae4c9e89c4,\
+mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#797cb363df3ff763c43c8fbec5cd44de2878757e \
+&& make depend && make build'
diff --git a/build-with.sh b/build-with.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+set -eu
+
+if [[ $# -ne 1 ]] ; then
+	echo "Usage: build-with.sh { docker | podman }"
+	exit 1
+fi
+
+builder=$1
+case $builder in
+	docker|podman)
+	;;
+	*)
+	echo "You should use either docker or podman for building"
+	exit 2
+esac
+
+echo Building $builder image with dependencies..
+$builder build -t qubes-miragevpn .
+echo Building MirageVPN...
+$builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-miragevpn
+echo "SHA2 of build:   $(sha256sum ./dist/qubes-firewall.xen)"
+echo "SHA2 last known: 0cbb202c1b93e10ad115c9e988f9384005656c0855ec9deaf05a5e9ac9972984"
+echo "(hashes should match for released versions)"
diff --git a/config.ml b/config.ml
@@ -29,7 +29,7 @@ let main =
     (random @-> mclock @-> pclock @-> time @-> qubesdb @-> stackv4v6 @-> kv_ro @-> job)
 
 let () =
-  register "qubes-unikernel"
+  register "qubes-miragevpn"
     [
       main $ default_random $ default_monotonic_clock $ default_posix_clock
       $ default_time

diff --git a/unikernel.ml b/unikernel.ml
@@ -307,5 +307,6 @@ struct
           ; oc= Lwt_stream.create ()
           ; ic= Lwt_stream.create ()
           ; clients } in
-      Lwt.pick [ shutdown; wait_clients t; ovpn_loop t; ingest_private t; packets_to_clients t ]
+      let* () = Lwt.pick [ shutdown; wait_clients t; ovpn_loop t; ingest_private t; packets_to_clients t ] in
+      S.disconnect vif0
 end